Skip to main content
Sign Out

Welcome to Dell

My Account
  • Place orders quickly and easily
  • View orders and track your shipping status
  • Enjoy members-only rewards and discounts
  • Create and access a list of your products
  • Manage your Dell EMC sites, products, and product-level contacts using Company Administration.
Sign In Create an Account Dell Financial Services Premier Sign In Partner Program Sign In
Contact Us

Your Dell.com Carts

Article Number: 000215519

Dell Networking SONiC System Log Messages and Audit logs

Summary: This article explains system messages, and audit logs in Dell Networking SONiC switches.

This article may have been automatically translated. If you have any feedback regarding its quality, please let us know using the form at the bottom of this page.

Article Content

Instructions

Index

System Logs
Audit Logs

System Logs

What is system log?

System log file or syslog is record of all logging-enabled transactions of various process in a switch. Syslog alerts are generated for significant events on the system. They include events such as, memory utilization, disk partition utilization, CPU thresholds, and so on.

System logs are enabled by default. This information can help the switch administrator troubleshoot issues related to switch and network.

Log messages are classified based on severity level.

The log message levels are:
 
Severity Level
Debugging 7
Informational 6
Notification 5
Warnings 4
Errors 3
Critical 2
Alerts 1
Emergencies 0


How to view System log messages

Dell Networking SONiC system logs can be viewed using the below command:

Sample Output 
show logging

DELLSONiC# show logging
Jul 04 17:22:05.528854+00:00 2023 sonic NOTICE syncd#syncd: :- setPort: setting admin UP on eth1 Eth1/1 portId oid:0x100000001
Jul 04 17:22:05.531292+00:00 2023 sonic NOTICE l2mcd#l2mcmgrd: :- doL2McInterfaceUpdateTask: L2MCD_CFG: IF:Eth1/1 op:SET oper:0
Jul 04 17:22:05.535991+00:00 2023 sonic NOTICE l2mcd#Logs: l2mcd_port_list_update PortInfo RX: Eth1/1, ifidx:4096 oper:1 is_add:1 is_lag:0, kif:29 rx_sock:56
Jul 04 17:22:05.536061+00:00 2023 sonic NOTICE syncd#syncd: :- syncOnLinkMsg: newlink: ifindex: 3, ifflags: 0x1103, ifname: eth1
Jul 04 17:22:05.536185+00:00 2023 sonic NOTICE syncd#syncd: :- asyncOnLinkMsg: received RTM_NEWLINK ifname: eth1, ifflags: 0x11143, ifindex: 3
Jul 04 17:22:05.537401+00:00 2023 sonic NOTICE swss#orchagent: :- doTask: Get port state change notification id:1000000000002 status:1
Jul 04 17:22:05.537401+00:00 2023 sonic NOTICE swss#orchagent: :- updatePortOperStatus: Port Eth1/1 oper state set from down to up


How to view System log messages count

Dell SONiC stores a lot of log messages. To view the number of log messages, use the below command: 
Sample Output 
show logging count

DELLSONiC# show logging count
438


How to view latest System log messages

Often it is useful to see the latest log messages. Use the below command to view the messages: 

Sample Output 
show logging lines <Number of log messages>

DELLSONiC# show logging lines 3
Jul 04 17:24:18.550108+00:00 2023 sonic NOTICE syncd#syncd: :- process_packet_for_fdb_event: Learn New MAC V:1 P:1/0/0
Jul 04 17:24:18.550108+00:00 2023 sonic WARNING syncd#syncd: :- findBridgeVlanForPortVlan: failed to find bv_id for vlan 1 and port_id oid:0x100000001
Jul 04 17:24:18.550108+00:00 2023 sonic WARNING syncd#syncd: :- process_packet_for_fdb_event: skipping mac learn for {"bvid":"oid:0x0","mac":"00:00:5E:00:01:01","switch_id":"oid:0x2100000000"}, since BV_ID was not found for mac


How to view log messages with a specific pattern

You can grep ( | ) to search for Log messages of a specified pattern. Use the below command to grep:

In bellow example, we are viewing log messages which have a pattern Eth1/1.

Sample Output 
show logging | grep <pattern>

DELLSONiC# show logging | grep Eth1/1
Jul 04 17:22:01.141637+00:00 2023 sonic NOTICE l2mcd#l2mcmgrd: :- doL2McInterfaceUpdateTask: L2MCD_CFG: IF:Eth1/1 op:SET oper:0
Jul 04 17:22:01.142410+00:00 2023 sonic NOTICE l2mcd#l2mcmgrd: :- doL2McInterfaceUpdateTask: L2MCD_CFG: IF:Eth1/1 op:SET oper:0
Jul 04 17:22:01.142410+00:00 2023 sonic NOTICE l2mcd#Logs: l2mcd_port_list_update PortInfo RX: Eth1/1, ifidx:4096 oper:0 is_add:1 is_lag:0, kif:29 rx_sock:56
Jul 04 17:22:01.151251+00:00 2023 sonic NOTICE macsec#hostapdmgrd: :- processHostapdConfigPortTblEvent: Received Eth1/1 as key and SET as OP


How to send log message to remote Syslog server

Dell SONiC can send system logs to a remote server. Use the below command:

In bellow sample command, we are sending log messages to remote syslog-server 192.168.1.10. If you are specifying a hostname, ensure to configure name server.

Sample Output 
logging server <ip-address/hostname>

DELLSONiC#
DELLSONiC# configure terminal
DELLSONiC(config)# logging server 192.168.1.10
You can also specify port number, source interface, severity, or vrf.


How to clear system logs

To clear system log files, use the below command: 

Sample Output 
clear logging

DELLSONiC# clear logging
 

Audit Logs

What is audit Log?

All User activity in a Dell SONiC switch like a login, configuration changes is recorded in audit logs. An audit log is handy while doing security audits.

The audit log records the following:
  • User Login and logout using SSH or Console
  • All show commands and configuration run using Dell SONiC CLI, gNMI, and REST API operations.

How to view audit Logs

Use the below command to view audit logs

Sample Output 
show audit-log

DELLSONiC# show audit-log
Jul 04 17:31:40.664313+00:00 2023 DELLSONiC INFO mgmt-framework#sonic-cli: User "admin" command "exit" status - success
Jul 04 17:31:32.701465+00:00 2023 DELLSONiC INFO mgmt-framework#sonic-cli: User "admin" command "exit" status - success
Jul 04 17:31:31.206452+00:00 2023 DELLSONiC INFO mgmt-framework#sonic-cli: User "admin" command "no shutdown" status - success
Jul 04 17:31:29.227217+00:00 2023 DELLSONiC INFO mgmt-framework#sonic-cli: User "admin" command "interface Eth1/1" status - success
Jul 04 17:31:25.474110+00:00 2023 DELLSONiC INFO mgmt-framework#clish[161]: User "admin" command "configure terminal" status - success
Jul 04 17:31:23.480896+00:00 2023 DELLSONiC INFO mgmt-framework#clish[161]: User "admin" command "startup" status - success
Jul 04 17:31:23.455134+00:00 2023 DELLSONiC INFO mgmt-framework#sonic-cli: message repeated 2 times: [ User "admin" command "exit" status - success]
Jul 04 17:31:19.567044+00:00 2023 DELLSONiC INFO login[21895]: pam_unix(login:session): session opened for user admin by LOGIN(uid=0)

We can see from the above output that user admin has shutdown interface Eth1/1 on July 04 17:31.


How to clear audit logs.

Use the below command to clear audit logs:

Sample Output 
clear audit-log

DELLSONiC# clear audit-log
We can see the clear audit-log is cleared and the first entry shows audit-log is cleared and the time 
DELLSONiC# show audit-log
Jul 04 17:32:47.835891+00:00 2023 DELLSONiC INFO mgmt-framework#sonic-cli: User "admin" command "clear audit-log" status - success
DELLSONiC#
 
NOTE: Only users with admin role can view and clear the audit log.

For further assistance, see Dell Support Enterprise SONiC Distribution Product Page to view Enterprise SONiC User Guide Release Documentation or reach out to Dell Technologies Support.

Additional Information

Refer to this video:


You can also view this video on YouTube .

Article Properties

Affected Product
Enterprise SONiC Distribution, PowerSwitch E3200-ON Series, Dell EMC Networking N3200-ON, PowerSwitch S5212F-ON, PowerSwitch S5224F-ON, PowerSwitch S5232F-ON, PowerSwitch S5248F-ON, PowerSwitch S5296F-ON, PowerSwitch Z9100-ON, PowerSwitch Z9264F-ON , PowerSwitch Z9332F-ON, PowerSwitch Z9432F-ON, PowerSwitch Z9664F-ON ...
Last Published Date

06 Dec 2023

Version

6

Article Type

How To

Back to Top